Given Iran’s inability to effectively challenge or deter better-prepared opponents, it has employed opportunistic destructive attacks to demonstrate its ability to retaliate. Particularly in the Middle East, Tehran can implicitly threaten cyber operations against the poorly defended economic and infrastructure resources of its opponents in the event of hostilities. Indeed, the disclosure of targets and victims of Iran’s regional cyber operations often includes industries that appear to serve no other purpose than creating beachheads in rival countries, such as banks and airports.

The intended effects of disruptive operations can vary, ranging from intimidation to destruction for foreign targets, and from embarrassment to existential harm for domestic opponents. The targeting or compromise of systems can alone be sufficient to communicate Tehran’s willingness and capability to inflict damage on opponents. This echoes Iran’s occasional threat to close the Strait of Hormuz—through which nearly 60 percent of the world’s oil supply passes on any given day—during times of crisis. Given the opacity of the Iranian government, however, the intended messages and expectations being signaled from Tehran can be easily misinterpreted, risking unintended conflict or escalation.

Such destructive attacks are rare, however, compared to Iran’s espionage campaigns against foreign governmental and economic institutions. Increasingly these campaigns form not only the basis of retaliation during conflict but also an essential crisis response mechanism for handling emerging threats. For example, days after a September 2015 stampede killed over 450 Iranians attending the Hajj pilgrimage, domain names impersonating the Saudi government and Hajj Ministry were registered by known Iranian threat actors.73 As relations and communications rapidly deteriorated between the two countries, particularly over the fate of a missing diplomat, cyber espionage became an information gathering tool for Tehran.

Saudi Arabia aside, Denmark, Germany, Israel, and the United States are among the countries that have publicly disclosed espionage attempts by Iranian groups against their government, military, or scientific institutions.74 Tehran also targets neighboring countries throughout the Middle East. Despite the various threat actors that operate on behalf of the Iranian government, their behavior patterns—including whom they target—are generally consistent over time.

The United States and Europe

In September 2012, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters announced it had begun a campaign of DDoS attacks against the U.S. financial sector. Prior to the campaign, the culprits had exploited vulnerabilities in the software of thousands of websites in order to create an attack platform under their control. With this army of servers located within well-connected hosting companies, the attackers could deluge their targets with high volumes of malicious traffic. In the first phases of Operation Ababil, the group targeted the U.S. banking infrastructure. Unprepared for such a volume of traffic (the U.S. Federal Bureau of Investigation stated the highest rate observed approached 140 gigabits per second, three times the capacity of the banks at the time), the victims’ databases and systems crashed from the dramatic increase in requests.

Subsequent phases of the campaign were less effective as the financial sector steadily improved its defenses. By the fourth attempted attack, in July 2013, little visible impact resulted. Still, by the FBI’s account, Operation Ababil locked hundreds of thousands of banking customers out of accounts for long periods of time and resulted in tens of millions of dollars in costs to remediate. An NSA briefing document also made clear the motivation for Operation Ababil: “[Signals intelligence] indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”75

Operation Ababil remains the most destructive Iranian attack on the United States. While the International Atomic Energy Agency (IAEA) alleged that Tehran had electronically surveilled and tampered with the devices of visiting nuclear inspectors in 2011, little had been known about Iranian cyber espionage prior to 2012.76 That summer provided the first public indication that Iranian threat actors had staged campaigns to spy on rivals.77 The Madi malware campaign was reported to have compromised up to 800 victims over the course of a year. The countries and entities targeted were a harbinger of future Iranian cyber operations, including oil companies, U.S. think tanks, government agencies, engineering firms, financial institutions, and academia.

Several Western countries have provided evidence of Iranian cyber operations in indictments and security reports. In addition to Operation Ababil, Iranians were alleged to have gained access to the unclassified Navy Marine Corps Intranet, a system used to store unclassified information and communications, for several months starting in August 2013.78 In the 2016 edition of an annual Ministry of Interior security assessment, the German government cited Iran as a new source of cyber espionage against the country, a disclosure that aligned with reports that the Bundestag had been affected by a malware operation that targeted visitors of the Israeli newspaper Jerusalem Post.79

Overall, however, cases of successful Iranian intrusions into American and European governmental infrastructure are rare, particularly into highly secured, classified networks. Government agencies are typically hardened beyond the capability of Iranian threat actors to penetrate them. Consequently, Iranians have sought softer U.S. targets, launching spearphishing attempts on the personal email and social media accounts of U.S. government employees. While personal accounts are less likely to contain classified government information, they are also less likely to be properly secured, and often contain useful information such as private material and traces of professional communications.

For example, Iranians attempted to compromise the personal email accounts of members of the American team during the nuclear negotiations.80 Similarly, after the 2016 U.S. presidential election, Iranian threat actors focused on former Obama staff, Republican members of Congress, supporters of Donald Trump’s campaign, conservative media organizations, and nominees for political appointments in an apparent attempt to acquire intelligence on the new administration.81 More recently these spearphishing campaigns have targeted critics of Iran in the U.S. Congress while new sanctions have been under consideration.

Tehran tends to target the foreign government personnel and agencies that focus on Iran, namely those in the United States or Europe who work on Iran policy or within Persian-language media, including Voice of America television and Radio Farda. Iranian threat actors have used the compromised accounts of prominent Iranian-Americans, international businessmen, and other dual nationals arrested by the IRGC to impersonate them and target the private email accounts of U.S. State Department personnel connected to Iran policy.

In contrast to the release of private emails by WikiLeaks during the 2016 U.S. election, which leveraged stolen emails for information warfare, Tehran’s compromise of State Department employees’ emails did not lead to visible sabotage or the disclosure of embarrassing material. While there have been dozens of attempts to target a wide array of American politicians and government employees, these intrusions were mostly opportunistic attempts that did not appear to escalate into more sophisticated operations.

Following the 2015 nuclear agreement, the incidence of covert action and retaliatory attacks between Washington and Tehran decreased. Reports of disruptive cyber operations against U.S. and Iranian infrastructure diminished, as Tehran focused more on domestic political opponents and regional adversaries, such as Israel and Saudi Arabia. Just as Operation Olympic Games provided Washington the ability to coerce Iran without direct military intervention, Tehran now engages in offensive cyber operations to project its regional power.

Saudi Arabia

No other country appears to have been the subject of as many offensive cyber operations from Iranian state-sponsored threat actors as Saudi Arabia. The two countries are ethnic (Arab vs. Persian), sectarian (Sunni vs. Shia), and above all geopolitical rivals, on opposing ends of bloody proxy wars in Iraq, Syria, and Yemen and fierce political battles in Bahrain and Lebanon. Relations between Tehran and Riyadh have often been tense since the 1979 Islamic Revolution, and formal diplomatic ties have been suspended intermittently due to political disputes. Most recently, in January 2016, Saudi Arabia closed its Tehran embassy after it was ransacked by an Iranian-government-sanctioned mob.

Since the start of Iran’s cyber operations, Saudi political and economic institutions have been compromised by Tehran for purposes of both espionage and disruption. In various reports on Iranian malware and credential theft campaigns—attempts to acquire passwords or account recovery information—Saudi Arabia has been one of the most common sources of victims and targets. This pattern reflects the two countries’ profound geopolitical and ideological disputes (intent), and Saudi Arabia’s continued vulnerabilities in cyberspace (opportunity).

Iran’s August 15, 2012, attack on Saudi Aramco during the Muslim Eid holiday (and a similar attack against Qatar’s RasGas Company two weeks later) is a prime example of how Iran uses offensive cyber operations to retaliate against foreign adversaries. As covert actions by foreign actors targeted Iran’s nuclear and oil infrastructure, previously unknown groups began staging disruptive attacks against economic infrastructure in Saudi Arabia and the United States, portraying themselves as independent hacktivists motivated by nationalism and Islamic values.

To avoid attribution, retaliatory acts were conducted using cutouts that provided them plausible deniability. In the Shamoon attack, known by the name given to the malware, tens of thousands of Saudi Aramco computers were compromised, causing tens to hundreds of millions of dollars in damage. One group, self-identified as the Cutting Sword of Justice, claimed responsibility for the attack, which overwrote the hard drives of Aramco computers with the image of a burning American flag, causing embarrassment to the company. Unlike the cyber operations conducted against Iran by foreign entities, the retaliatory attacks carried out by Tehran sought maximum visibility.

Initial analysis of the incident found that Shamoon was likely inspired by the Wiper malware that had targeted Iran in April 2012, given that both destroyed stored data as a method of sabotage. Tehran was potentially motivated by retaliation for cyber operations against its oil production infrastructure. Shamoon’s message appeared clear: Iran may not always be able to defend itself against more advanced cyber capabilities, but it can impose substantial retaliatory costs against U.S. allies.

The tit-for-tat cycle of covert destructive attacks and symbolic retaliation seen with Shamoon and Ababil reflects Iranian security tactics witnessed in offline hostilities. Between 2010 and 2012, for example, several Iranian nuclear scientists were assassinated under mysterious circumstances, allegedly by the United States or Israel.82 In apparent retaliation, Tehran attempted, unsuccessfully, to assassinate Israeli officials in unexpected places like Georgia, India, and Thailand. This cycle, a recurrent theme in Iran’s covert actions, showed Tehran’s ability to learn from attacks and retaliate in a similar fashion, providing a potential framework for understanding its signaling and motivations in conducting disruptive cyber operations.83

Compared to Iran’s other adversaries (namely the United States and Israel), Saudi governmental and economic institutions have yet to sufficiently implement systems and protocols to increase national cybersecurity. Iranian actors have targeted a broad range of economic, military, and political institutions in Saudi Arabia—including Saudi Aramco and its foreign partners, the King Faisal Foundation, the Ministries of Commerce and Foreign Affairs, the Saudi Stock Exchange, and even Saudi Arabian human rights advocates. Researchers have documented multiple cases in which Saudi companies and organizations were compromised, in one event leading to the exfiltration of vast sums of archival proprietary data spanning multiple years from one industrial development corporation.84

Weak Saudi cyber defenses have not only made the country vulnerable to Iranian coercion but also made Riyadh a soft target for Tehran’s retaliation against destructive cyber operations performed by third countries. If Iran cannot cause significant damage to the United States during times of conflict, then damaging the economic institutions of American allies will suffice.

The campaign of coercive pressure continues as well: the Saudi Ministry of Defense and other networks sustained DDoS attacks at the same time as the attack on the embassy.85 When the Shamoon malware agent used in the Aramco incident reappeared in an updated form (labeled as Shamoon 2 by researchers) from November 2016 to January 2017, it destroyed databases and files belonging to both the government and private sector, including the General Authority of Civil Aviation, the Ministry of Labor, the Saudi Central Bank, and natural resource extraction companies.86 Shamoon 2 contained references to Yemen and overwrote the victims’ hard drives with an image of the drowned Syrian refugee child Alan Kurdi, once again signaling the attacks were retaliation for Saudi policies in Syria and Yemen.87

Israel

One of the consistent pillars in Iran’s foreign policy has been opposition to Israel’s existence and support for anti-Israeli militant groups, such as Hezbollah, Hamas, and Palestinian Islamic Jihad. Despite this, however, Tehran has been far less successful in cyber operations targeting Israeli institutions for disruption and espionage. The documents used as bait in the Madi operation were commonly written in Hebrew or referenced Israeli security policies, and researchers have documented fifty-four compromised entities in Israel during that campaign.88 During the conflict between Israel and Gaza in the summer of 2014, known as Operation Protective Edge, authorities claimed that the Israel Defense Forces’ infrastructure was targeted by DDoS attacks launched by a wide range of belligerents, including Tehran.89 These DDoS attacks would align with the known capabilities of Iranian threat actors, including the tactics used against the United States and dissidents.

Despite a history of DDoS attacks and defacements of Israeli websites, Tehran’s ability to inflict major costs on Israel through cyber operations has thus far been limited and perhaps diminishing.90 Given the sophistication of Israel’s cyber defense, Tehran has been forced to focus mainly on soft targets, for narrow espionage opportunities and the potential disruption of civilian resources in the event of conflict.

Iranian targeting of Israelis, like U.S. nationals, emphasizes individuals focused on Iran and regional policies. Tehran has engaged in spearphishing attempts against academic institutions, national security officials, diplomats, members of the Knesset, and Israeli aerospace companies. Similarly, Iranian actors have commonly created malicious domains that have emulated those owned by the American Israel Public Affairs Committee (AIPAC) and have targeted employees of both liberal and conservative Jewish organizations in the United States and elsewhere.

While Iran has had some success in compromising smaller civilian institutions, it has not visibly attempted to use these breaches coercively. The lack of immediate weaponization of breaches is demonstrative of how strategic calculations shape outcomes. The destruction of banking information or medical data over nonexistential challenges to the Islamic Republic is perhaps not worth inviting retaliation from Israel (a threat that Saudi Arabia lacks). Tehran’s desire for signaling a credible retaliatory threat against Israel through offensive cyber operations may also be sufficiently served by the mere compromise of such institutions. Cyber capabilities have certainly not altered the power dynamics between Iran and Israel, and the difference in technical capacities likely shapes Iran’s posture toward its adversary.

Regional Allies and Adversaries

While Tehran’s disruptive cyber operations in the region have primarily targeted Saudi Arabia, multiple Iranian threat actors have been observed targeting nearly every Middle Eastern, North African, and bordering country. For example, Magic Kitten successfully compromised victims across the Middle East and South Asia.91 This pattern has been repeated during Madi and subsequent operations up to the present.

Cyber espionage has provided Tehran further insights about its often politically unstable neighbors. Iranian threat actors have shown a recurrent interest in the infrastructure of neighboring countries, including Afghanistan’s National Radio, Ministry of Education, and government network.92 Other indicators also suggest an interest in Pakistan’s and Afghanistan’s security and defense organizations.93 Fictitious social media profiles and spearphishing campaigns have commonly targeted Iraqis, notably engineers within telecommunications networks and political elites. Iranian groups have also maintained an extremely active interest in the political institutions of Iraqi Kurdistan.94

In addition, multiple Iranian threat actors have engaged in spearphishing attempts against dozens of individuals affiliated with human rights organizations, political movements, and independent media outlets in Yemen, where Tehran is engaged in a proxy war with Saudi Arabia.95 The Israeli cybersecurity company ClearSky found that 11 percent of the targets of one Iranian credential theft campaign (Rocket Kitten) in 2015 were connected to Yemen. These operations specifically support Iran’s position in the Yemeni conflict, with recent attempts targeting prominent critics of the Houthis, the Shia Muslim group that Iran has been supporting in the country’s civil war.

Iranian actors have also reportedly targeted Syrian opponents of President Bashar al-Assad’s regime in limited cases, including exiled Syrian dissidents.96 There has been speculation that Iran has also supported the offensive cyber operations of its traditional allies Syria and Hezbollah, notably after Syrian dissidents became the target of sustained malware campaigns starting in 2012. Yet there is only limited evidence of technical cooperation, and little reason why either would be dependent on Iran for capabilities.

While there are credible indications that Tehran has provided Syria traditional electronic warfare equipment, the Assad regime apparently didn’t require extensive help with developing offensive cyber capabilities. An indigenous ecosystem of hackers organized by Assad’s relatives has proven effective at targeting the regime’s opponents from early into the civil war. Small groups of hackers in Syria have typically used spyware that is popular among Arab hacking communities against opponents of Assad. Conversely, while little is known about Hezbollah’s offensive cyber capabilities, in one 2015 report that described their malware and operations, the Lebanese group had seemingly outpaced its Iranian patron.97

The lack of external evidence of cooperation does not preclude other coordinated efforts or intelligence sharing, but basic cyber operations are easier than electronic warfare—such as signal jamming, radar collection, and signal location—or other military domains that require a defense industrial base.98 None of the known capabilities or incidents involved specialized knowledge that required external support, and all have independent profiles on how their operations are conducted. Iranians have not used the same commodity spyware as Syrian groups, suggesting that pro-Assad groups owe more to local hacking scenes than other states. Moreover, Iran’s lack of cooperation with allies or friendly foreign powers may reflect other factors influencing decisions to share resources. Allies still spy on allies: Iran could also want to withhold its toolkit to provide some oversight in contentious situations, such as monitoring the stability and loyalty of the Assad regime.

Commercial Targets

Unlike China, Iran has limited use for commercial espionage given its lack of an industrial production sector that could utilize stolen intellectual property. Iran’s industrial espionage activities serve to boost its commodities industries and military technological prowess rather than its domestic manufacturing sector. Nor has Iran attempted to offset the impact of economic sanctions through large-scale financial crime, as North Korea appears to do.99 Based on public reports and directly observed campaigns, the commercial entities targeted by Iranian threat actors typically fall into four categories:

Aerospace and civil aviation

Defense industrial base and security sector

Natural resources and extractive industries

Telecommunications firms

Evidence of Iran’s interest in the theft of defense secrets comes from several cybersecurity reports, observed incidents, and U.S. indictments. Nima Golestaneh, an Iranian national extradited to the United States from Turkey, pleaded guilty to supporting the October 2012 hack of Vermont-based defense company Arrow Tech Associates in an operation to acquire copies of their weapon system simulations to sell the software to Iranian government and military entities.100 This would prove to be a harbinger of later efforts.

In early 2014, in parallel with targeting Iranian women’s development programs and others, one threat actor (Flying Kitten) impersonated a website for an aerospace systems conference to spread malware to defense contractors, a tactic still used against the industry today. Another Iranian threat actor over the course of 2015 to 2016 repeatedly created phony corporate websites for Oshkosh Corporation, an American defense company, to capture credentials from its private internal business network, and continued to target aviation companies, including jet engine manufacturers and satellite companies. Reports of attempts at military espionage by Iranian threat actors are extremely common and include a broad set of industries, most notably aerospace technologies.

Yet these operations appear to have had limited success. Given their involvement in the defense industry, coupled with related concerns about Chinese industrial espionage, companies like Oshkosh prioritized information security in ways that NGOs have not. Consequently, while there is indication that employees are commonly targeted, even compromised, reports of the theft of highly sensitive defense secrets by Iran are rare.

The targeting of defense companies is also motivated by regional politics rather than solely theft of military technologies. Several defense industry companies targeted by Iranian threat actors, including Oshkosh Corporation, are substantially involved in providing security and military assistance to Saudi Arabia and other Gulf states. Many of the American companies—including Oshkosh Corporation—that were designated by the Iranian Ministry of Foreign Affairs in March 2017 under retaliatory human rights sanctions for their involvement with the Israeli military have also been targeted by Iranian cyber operations.101

As in other areas, it is difficult to derive intent purely from who was targeted or impersonated. In certain cases, it appears Iranian threat actors have compromised Middle East–based information technology consultants in pursuit of the governments or businesses who are their clients. These operations often target company employees based in the Middle East, potentially to acquire information on the military capabilities of rivals or access to other targets (such as supply-chain attacks). One more recent campaign masquerading as Boeing and Northrop Grumman appeared focused on Saudi Arabia’s military and commercial aviation sectors.102

Similarly, Iran’s targeting of telecommunications firms, banks, and civil aviation companies could provide them a foothold in critical infrastructure, one that could potentially cause substantial economic harm and even endanger lives. Thus far, however, Tehran appears to have used such targeting for reconnaissance purposes, mirroring other countries’ cyber activities.103 However, there are legitimate reasons to be concerned that Tehran’s intention in targeting critical infrastructure is to hold social and economic assets in adversarial countries at risk in the event it needs to escalate or retaliate during conflict.

Notes

73 Based on monitoring of known registration information used by Charming Kitten, suspicious domains include saudi-government[.]com and saudi-haj[.]com.

77 First disclosed by Kaspersky Lab and Seculert in July 2012; see “The Madi Campaign – Part I,” SecureList. While researchers noted the religious implications of the inclusion of the word “mahdi.txt” in the malware’s operations, other versions appeared to include other Persian names and words such as “otahare.” It seems more likely that the inclusion was not meant as a religious declaration.

78 Later attributed by Cylance as Operation Cleaver. Unnamed U.S. government officials had characterized the breach as “carried out by hackers working directly for Iran’s government or by a group acting with the approval of Iranian leaders,” see: “U.S. Says Iran Hacked Navy Computers,” Wall Street Journal, September 27, 2013,

81 Direct observation of the targets of the Charming Kitten group. The email addresses and names of those targeted in these campaigns appear to have been sourced from the Podesta emails released by WikiLeaks.

83 The attempted bombings occurred February 13, 2012, one month after the assassination of Mostafa Ahmadi Roshan (on January 11, 2012) and four years after the death of Imad Mughniyah (on February 12, 2008).

84 Firsthand observation of the activities of the Charming Kitten group, similar to the successful operation described in the Operation Cleaver report by Cylance.

92 Directly collected indicators from a sinkhole of malware associated with the Infy group.

93 For example, in Check Point’s Rocket Kitten report, included in the group’s infrastructure were domains mirroring the Afghan Ministry of Defense. Similar domains and targets can be found later that are connected to the same group.

94 Directly collected indicators from the Infy group; discussed further in relation to Iran’s targeting of ethnic minority groups.

95 Directly collected indicators from the Flying Kitten group. The recipients of these spearphishing campaigns included a wide range of journalists and political groups, such as the Coordination Council of Yemen Revolution Youth, Yemen Center for Human Rights, Social and Democracy Forum of Yemen, and Yemen Parliamentarians Against Corruption. The leaked NSA slide indicates that Magic Kitten also breached Yemeni computers, but the nature of the targets is unclear, and the document predates the onset of the civil war in Yemen.